Phishing Attacks Announced by Comprehensive Sleep Care Center, McLaren Health Plan, and Ivy Rehab Physical Therapy

Loudoun Medical Group, dba Comprehensive Sleep Care Center (CSCC), has been affected by a phishing attack that occurred on or around June 19, 2019.

The IT department was alerted to a potential email security breach when suspicious activity was detected in an employee’s email account. The password was immediately changed to prevent further unauthorized access and the incident was investigated.

Forensic investigators confirmed the breach was confined to a single email account that was accessed by an unauthorized individual between June 15, 2019 and June 19, 2019.

On October 17, 2019, the investigators confirmed which patient information had been accessed. The information in the email account varied for each patient and may have included the patient’s name along with one or more of the following data elements: date of birth, Social Security number, passport number, driver’s license number, medical record number, payment card information, patient account number, financial account information, medical history, health insurance information, treatment information and/or date(s) of service.

Additional safeguards have now been implemented to prevent further email security breaches, and affected individuals have been provided with information on how they can minimize the risk of PHI misuse. To date, no evidence of attempted or actual misuse of patient information has been found. The PHI of 15,575 patients was potentially compromised, according to the HHS’ Office for Civil Rights’ breach portal.

McLaren Health Plan Affected by Phishing Attack on Business Associate

McLaren Health Plan in Flint, MI has discovered the protected health information of some of its members may have been accessed by unauthorized individuals as a result of a phishing attack on one of its business associates, Magellan Rx Management. Magellan Rx Management provided services to the health plan up until December 31, 2018.

Magellan Health announced on November 27, 2019 that its subsidiary, Magellan Rx Management, experienced a phishing attack on May 28, 2019. Magellan Rx discovered the attack on July 5, 2019 and launched a thorough investigation to determine the extent of the breach. The investigation confirmed the breach was limited to a single email account, and that the email account contained the protected health information of certain McLaren Health Plan members such as names, birth dates, health plan member ID numbers, health plan name, provider, diagnosis, drug, and authorization information. McLaren Health Plan was informed of the breach on October 4, 2019.

The aim of the attack appears to have been solely to use the email account to send spam. No evidence of data access or misuse has been uncovered. Magellan Health has since enhanced email security and is providing further training to employees to help them detect malicious emails in the future.

Email Security Breach at Ivy Rehab Physical Therapy

Ivy Rehab Physical Therapy, a network of 200 physical therapy clinics, has experienced a phishing attack in which the protected health information of patients was potentially compromised.

The company discovered the attack in May 2019 and launched an investigation. On September 26, 2019, third-party forensic investigators determined that the protected health information of certain patients was stored in the compromised accounts and may have been accessed by the attackers. No reports of misuse of patient information have been received and no actual evidence of unauthorized data access was identified.

The information potentially accessed included names along with one or more of the following data elements: health information, Social Security numbers, and financial information. Affected individuals have been offered complimentary identity theft restoration and credit monitoring services.

In response to the attack, Ivy Rehab has changed its password policies and now requires more frequent password changes. Further, ongoing security awareness training is being provided to staff members.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the PHI of 125,000 individuals was compromised in the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.